1. Field of the Invention
The present invention relates to a packet authentication scheme for a security gateway which authenticates whether a received packet is from a proper computer/user or not in order to transfer only proper packets, and a packet packet encryption/decryption scheme for a security gateway which encrypts/decrypts packets in order to prevent the information leakage in a data transfer to an external organization, in a data communication through an open network among a plurality of computers including mobile computers.
2. Description of the Background Art
Due to the spread of the Internet, it has now become possible to login to a remote computer or transfer files to a remote computer. It has also become possible to utilize services such as the electronic mall and the WWW (World Wide Web). On the other hand, in the Internet, the construction of protocols and systems with due consideration to security is delaying so that there are possibilities for illegal conducts such as stealing of secret information or deletion of important files by a malicious user who sneaks into a computer of a remote network, and wiretapping of communication data.
In order to deal with such illegal conducts, a system called firewall or security gateway is often constructed in a network of an organization such as a company. The firewall is a system to be provided at a boundary of the local network of the organization and the global Internet, which realizes the filtering of communication (the control for blocking/passing communication) in order to prevent the information leakage to the external and the improper intrusion from the external.
The firewall has an advantage in that there is no need to provide any special measure to strengthen the security at a computer (host) connected to the internal network (internal net) because the firewall can block all the dangerous communications from the external.
The basic technique used in the firewall is a packet filter, which judges whether a communication packet is for permitted communications or not according to a source host address, a destination host address, and a port number corresponding to the utilized service (such as remote login (telnet), file transfer (ftp), electronic mail (SMTP), electronic news (NNTP), WWW service (http), etc.) which are attached to the communication packet, and relays only the communication packets for the permitted communications. In this technique, a sufficient security function can be provided assuming that the host addresses and the service port number within the packet are hard to alter, However, in practice, it is possible to send a packet with an altered source host address. In order to deal with such an alteration, a system for realizing the packet filtering by means of authentication function using cryptography is available.
For the packet authentication based on cryptography, a technique called MAC (Message Authentication Code) is used in general. In this technique, it is assumed that packet source and destination sides are sharing a secret key information. The source side calculates a digest information for each packet which depends on all bits of data of that packet and a key K, and attaches this digest information to the packet. Namely, the source side calculates MAC=f(K. data), where "f" denotes a MAC calculation algorithm, "data" denotes a packet content. On the other hand, the destination side carries out the same calculation as the source side using the packet content of the received packet and the key K, and when the calculated MAC value coincides with the MAC value attached to the packet, the sender and the fact that the packet content is the transmitted data itself can be authenticated.
The introduction of the authentication function based on MAC into the firewall is described in J. Ioannidis and M. Blaze, "The Architecture and Implementation of Network-Layer Security Under Unix", USENIX/4th UNIX Security Symposium, pp. 29-39 (1993), for example.
In this manner, the sending of a packet with an altered address or port number and the alteration of a packet in a course of packet transfer can be detected, so that the safety of the firewall system can be improved drastically. This system will be referred hereafter as a firewall with authentication function.
However, the applicability of the conventional firewall with authentication function is Limited only to a case where the network to be protected has a single hierarchical level. Namely, the mechanism of the conventional firewall with authentication function is that the source host or the firewall of the network which accommodates the source host attaches the MAC to the packet, and the firewall of the network which accommodates the destination host inspects the MAC, and this mechanism cannot sufficiently deal with a case where networks to be protected are hierarchically organized. This is because, in a case where networks to be protected on the destination side are organized in two hierarchical levels, the key K is shared by the firewall on the source side and the firewall of the first hierarchical level on the destination side so that the MAC can be inspected at the first hierarchical level on the destination side, but the firewall of the second hierarchical level on the destination side is not provided with the key K so that the MAC inspection cannot be carried out at the second hierarchical level on the destination side even when the same packet as received at the first hierarchical Level is also received at the second hierarchical level.
If the key K is shared by all of the firewall on the source side, the firewall, of the first hierarchical level on the destination side, and the firewall of the second hierarchical level on the destination side, then it would be possible for the firewall of the first hierarchical level on the destination side to pretend the firewall of the source side and send packets to the firewall of the second hierarchical level on the destination side improperly.
On the other hand, the portable computers are utilized in various situations recently, and there are, many situations where a portable computer is connected to a multi-sectional network as a mobile computer in order to carry out communications with a server computer of the home network of that mobile computer or a computer of the visited network. Even in such situations, the function of the conventional firewall with authentication function is limited. Namely, in the rirewall with authentication function, the packet inspection can be carried out between the firewall of the visited network and the firewall of the communication target network, but there is no known procedure for consistently realizing the authentication between the mobile computer and the firewall of the visited network and the authentication between the mobile computer and the communication target network.
Apart from the problem of the authentication described so far, there is also a problem regarding the protection of the communication packet content. Namely, for a case of a communication using transfer of highly secret data through an external network, there is a scheme for encrypting the packet content before the data packet is transmitted to the external, and decrypting the encrypted packet at the receiving site. In this scheme, in a case where the network to be protected has a single hierarchical level, it suffices to utilize the directionality of the packet in the judgement of a need for encryption/decryption.
However, in a case where networks to be protected are hierarchically organized, or in the mobile computer environment utilizing the mobile computer, there is an unresolved problem regarding which machine should carry out the control of encryption/decryption by what criteria. In particular, in a case of transferring packets between different hierarchical levels, it has been difficult to secure the safety and at the same time avoid the lowering of the processing efficiency due to the repeated decryption and re-encryption at each hierarchical level. Also, it has been difficult to secure the safety and at the same time flexibly control a part which should be transferred by a cipher communication and a part which should be transferred by a plain text communication.
As described, in the prior art, in a computer network in which networks to be protected are hierarchically organized, it has been difficult to safely protect the network of each hierarchical level. In addition, it has been difficult to carry out the cipher communication efficiently and safely.